This Privacy Policy (“Policy”) describes the “Personal Data” that we collect about you, how we use it, how we share it, your rights and choices, and how you can contact us about our privacy practices. This Policy also outlines your data subject rights, including the right to object to some uses of your Personal Data by us.

“Hive.id”, “we”, “our” or “us” means Hive Identity Technologies OÜ, registry code 14535176, A. Lauteri tn 3, Tallinn 10114, Estonia.

“Personal Data” means any information that relates to an identified or identifiable individual, and can include information that you provide to us and that we collect about you, such as when you engage with our Services (e.g. device information, IP address).

“Services” means the products and services that Hive.id indicates are covered by this Policy. Our “Business Services” are Services provided by Hive.id to entities (“Business Users”) who directly and indirectly provide us with “End Customer” Personal Data in connection with those Business Users’ own business and activities.

“Sites” means hive.id and the other websites, and online services that Hive.id indicates are covered by this Policy. Collectively, we refer to Sites and Business Services as “Services”.

Depending on the context, “you” means End Customer, Representative or Visitor:

• When you do business with, or otherwise transact with, a Business User (e.g. when you are asked to verify your identity by a merchant that uses Hive.id for identity verification) but are not directly doing business with Hive.id, we refer to you as an “End Customer.”
  
• When you are acting on behalf of an existing or potential Business User (e.g. you are a founder of a company, or administer an account for a merchant who is a Business User), we refer to you as a “Representative.”
  
• When you visit a Site without being logged into a Hive.id account or otherwise communicate with Hive.id, we refer to you as a “Visitor.” (e.g. you send us a message asking for more information because you are considering to use our products).
  

Depending on the activity, Hive.id acts as a “data controller” and/or “data processor (or service provider)”.

The “data controller” is the entity which determines the purposes and means of the data processing taking place. The “data processor” is an entity acting on behalf and under the instructions of a controller in processing personal data.

Hive.id is a data controller when it determines the purposes and means of the processing taking place. These data processing activities include (1) providing the Hive.id products and services, (2) monitoring, preventing and detecting fraudulent activity on the Hive.id platform, and (3) analyzing, developing and improving Hive.id’s products and services.

Hive.id is a data processor where it is facilitating identity verifications and risk assessments on behalf of and at the direction of a Business User. Our Business Users direct us to verify identities of End Customers.

1. Personal Data that we collect and how we use and share it

Our collection and use of Personal Data changes depending on whether you are acting as End Customer, Representative or Visitor.  For example, if you are the sole owner of a business (i.e., sole proprietorship), we may collect Personal Data to onboard your business, but you may also be an End Customer that purchased goods from another Business User that uses Hive.id’s Services for identity verification.

Please visit the support web page here for additional guidance on what you can tell your users and here for additional guidance on privacy considerations for your business.

“Verification Data” as used in this Privacy Policy includes Personal Data, and may include the following:

(a) personal information about you, which mainly consists of information extracted from your identity document, for example name, gender, personal identification code, date of birth, legal capacity, nationality, citizenship, organ donor status, eye color, weight and height;

(b) identity document details, such as the type of the document, issuing country, number, expiration date, information embedded into document barcodes (may vary depending on the document) and security features;

(c) identity verification data, such as photographs taken or uploaded by you;

(d) contact details, such as address, e-mail address, telephone numbers;

(e) biometric data, such as face scans and other measurements, extracted from your photos and used to compare your face with identity document photos;

(f) publicly available relevant data, e.g. information about being a politically exposed person (PEP) and checks in public sanction lists;

(g) in some cases, some historic data of you that may have been stored with us during previous interactions within the retention periods;

1.1 End Customers

Hive.id offers Business Services to our Business Users (e.g. identity verification through online channels). When we are acting as a Business User’s service provider (also known as a data processor), we will process Personal Data in accordance with the terms of our agreement with the Business User and the Business User’s lawful instructions.

Business Users are responsible for making sure that their End Customers’ privacy rights are respected, including ensuring appropriate disclosures about data collection and use that happens in connection with their products and services. If you are an End Customer, please refer to the privacy policy or notice of the Business User you choose to do business with for information regarding their privacy practices, choices and controls.

a. Personal Data that we collect about End Customers

• If you are an End Customer, when you transact with a Business User that uses us to provide identity verification Business Services, we will receive Verification Data. We may also receive your history with the Business User. Moreover, we may obtain information provided partially, even if you choose not to complete the process or transact with the Business User.
  
• To protect against fraud, we may compare this information with information about you we collect from Business Users, financial partners, business partners, and other third party service providers and sources so that we can assess whether the person is likely to be you or a person purporting to be you.
  

b. How we use and share Personal Data of End Customers

To provide our Business Services to our Business Users, we use Personal Data, and share Personal Data of a Business User’s End Customers with the Business User.  Where allowed, we may also use End Customers’ Personal Data for Hive.id's own purposes to secure, improve and provide our Business Services and prevent fraud, loss and other harms as described below.

• The Business User you choose to transact with will receive Verification Data from us that includes your Personal Data. The Business User you choose to do business with may further share your Verification Data to third parties they authorize (e.g. other third party service providers). Please review their privacy policy to learn more.
  

• We use Personal and Verification Data about you, including information provided by you and our service providers, to perform verification Services for the Business Users that you are doing business with, to reduce fraud and enhance security.
  

• We use your Personal Data to detect and prevent losses for you, us, our Business Users and partners.
  

• We do not use, sell or share End Customer Personal Data for our marketing or advertising, or for marketing and advertising by third parties who are not the Business User with which you have transacted or attempted to transact.

If you have been asked to verify your identity or have verified your identity, please visit the following support web pages to learn more about our privacy practices for identity verification.

• Understanding identity verification process
• Biometric verification
  
• Consent to use my identity information
  
• Security of my identity data
  
• What data is collected
  
• Identity data retention
  
• Hive.id’s role in controlling and processing identity data
  
• How I delete my identity data
  

1.2 Representatives

To provide Business Services, we collect, use and share Personal Information from Representatives of Business Users (e.g. a business owner).

a. Personal Data that we collect about Representatives

• If you register for a Hive.id account for a Business User, we collect your name and account log-in credentials. If you sign up for Hive.id communications, we collect your profile information. If you are a Representative or Representative of a potential Business User, we receive your Personal Data from third parties (including data providers) in order to advertise to, market and communicate with you as described further below and in Section 2.
  

b. How we use and share Personal Data of Representatives

We generally use Personal Data of Representatives to provide the Business Services to the associated Business Users, as well as for the purposes described below.

• We use and share Personal Data of Representatives with Business Users to provide the Services you (or the Business User you are associated with) have requested.
  

• Where allowed by applicable law, we use and share Representative Personal Data with others so that we may advertise and market our Services to you. Subject to applicable law (including any consent requirements), we may advertise to you through interest-based advertising and emails and seek to measure the effectiveness of our ads. See our Cookie Policy for more details. We do not sell or share Representative Personal Data to others for their advertising purposes.

1.3 Visitors

We collect, use and share Personal Data of Visitors (who are not End Customers or Representatives).

a. Visitor Personal Data that we collect

When you visit our Sites, we will receive your Personal Data either from you providing it to us or through our use of cookies and similar technologies. See our Cookie Policy.

• When you choose to fill in a form on the Site or on third party websites featuring our advertising (e.g. LinkedIn or Facebook), we will collect the information included in the form (e.g. your contact information and other information about your question related to our Services). We may also associate a location with your visit.
  

b. How we use and share visitor Personal Data

• We use information about you that we gather from cookies and similar technologies to measure engagement with the content on the Sites, to improve relevancy and navigation, to personalize your experience (e.g. language and relevant geography) and to tailor content about Hive.id and our Services to you.
  

• As allowed by law, we use and share Visitor Personal Data with others so that we may advertise and market our Services to you.  Subject to applicable law (including any consent requirements), we may advertise our Services to you through interest-based advertising and emails, and seek to measure the effectiveness of our ads. See also our Cookie Policy.  We do not sell or share Visitor Personal Data to others for their advertising purposes.
  

• When visitors engage with our Site, we will use information we collect about and through your devices in order to provide the opportunity to engage in conversations or with chatbots to address your questions.
  

2. More ways we collect, use and share Personal Data

In addition to the ways we collect, use and share Personal Data that are described above, we also process your Personal Data as follows:

a. Personal Data Collection

• Depending on the Business Users’ implementation of our Business Services, we will collect information about:
  ‍
• Devices and browsers across our Sites and third-party websites, apps and other online services (“Third-Party Sites”),
  ‍
• Usage data associated with those devices and browsers and how you’ve engaged with our Services, including IP address, plug-ins, language used, time spent on Sites and Third-Party Sites, pages visited, links clicked, and the pages that led or referred you to Sites and Third-Party Sites. Please also see our Cookie Policy.
  ‍
• We will collect any information you choose to provide to us, for example, through support tickets, emails or social media. When you respond to Hive.id emails or surveys, we collect your email address, name and any other information you choose to include in the body of your email or responses. We will also collect your engagement data such as your registration for, attendance of, or viewing of Hive.id events and other interaction with Hive.id personnel.
  

• Where our Sites allow you to post content, we will collect Personal Data that you provide in connection with the post.

b. Personal Data Usage

In addition to the Personal Data usage described above, we use Personal Data in the following ways:

• We use analytics on our Sites to help us analyze your use of our Sites and Services and diagnose technical issues. To learn more about the cookies that may be served through our Sites and how you can control our use of cookies and third-party analytics, please see our Cookie Policy. We also collect and process Personal Data through our different Services, whether you are an End Customer, Representative or Visitor, to improve our Services, develop new Services and support our efforts to make our Services more relevant and more useful to you.
  

• We will use the contact information we have about you to perform the Services, which may include sending codes via SMS to authenticate you. If you are a Representative or Visitor, we may communicate with you using the contact information we have about you (e.g. using email, phone, text message or videoconference) to provide information about our Services and our affiliates’ services, invite you to participate in our events or surveys, or otherwise communicate with you for our marketing purposes, provided that we do so in accordance with applicable law, including any consent or opt-out requirements. For example, when you submit your contact information to us, we may use the information to follow-up with you, send you information that you have requested on our products and services and include you on our marketing information campaigns.
  

• If you choose to submit Personal Data to us to participate in an offer, program or promotion, we will use the Personal Data you submit to administer the offer, program or promotion. We will also use that Personal Data and Personal Data you make available on social media to market to you unless we are not permitted to do so.
  

• We collect and use Personal Data to help us to detect and manage the activity of fraudulent and other bad actors across our Services, to enable our fraud detection Business Services, and to otherwise seek to secure our Services against unauthorized access, use, modification or misappropriation of Personal Data and information. In connection with fraud and security monitoring, prevention, detection, and compliance activities for Hive.id and its Business Users, we receive information from service providers, third parties, and the Services we provide.
  

• We use Personal Data to meet our contractual and legal obligations related to anti-money laundering, Know-Your-Customer ("KYC") laws, anti-terrorism, export control and prohibitions on doing business with restricted persons or in certain business areas and other legal obligations. We strive to make our Services safe, secure and compliant, and the collection and use of Personal Data is critical to this effort.
  

• The Services are not directed to minors, including children under the age of 13, and we request that they not provide Personal Data through the Services. In some countries, we may impose higher age limits as required by applicable law.
  

c. Personal Data Sharing

In addition to the ways described above, we share Personal Data in the following ways:

• In order to provide Services to our Business Users and to communicate, market and advertise to Visitors and Representatives regarding our Services, we will rely on others to provide us services. Service providers provide a variety of critical services, such as hosting (storing and delivering), analytics to assess the speed, accuracy and/or security of our Services, customer service, email and auditing. We authorize such service providers to use or disclose the Personal Data that we make available to perform services on our behalf and to comply with applicable legal requirements. We require such service providers to contractually commit to protect the security and confidentiality of Personal Data they process on our behalf. Our service providers are predominantly located in the European Union and the United States of America.
  

• In the event that we enter into, or intend to enter into, a transaction that alters the structure of our business, such as a reorganization, merger, sale, joint venture, assignment, transfer, change of control, or other disposition of all or any portion of our business, assets or stock, we may share Personal Data with third parties in connection with such transaction. Any other entity which buys us or part of our business will have the right to continue to use your Personal Data, but subject to the terms of this Policy.
  

• We share Personal Data as we believe necessary: (i) to comply with applicable law; (ii) to enforce our contractual rights; (iii) to secure or protect the Services, rights, privacy, safety and property of Hive.id, you or others, including against other malicious or fraudulent activity and security incidents; and (iv) to respond to valid legal process requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.

3. Legal bases for processing data

For the purposes of the General Data Protection Regulation (GDPR), we rely upon a number of legal bases to enable our processing of your Personal Data.

a. Contractual and Pre-Contractual Business Relationships. We process Personal Data for the purpose of entering into business relationships with prospective Business Users and to perform the respective contractual obligations with them. Activities include:

• Creation and management of Hive.id accounts and Hive.id account credentials;
• Accounting, auditing, and billing activities; and
• Processing of identity verification transactions, including fraud detection, communications regarding such transactions, and related customer service.
  

c. Legitimate Interests. Where allowed under applicable law, we rely on our legitimate business interests to process Personal Data about you. The following list sets out the business purposes for which we have a legitimate interest in processing your data:

• Detect, monitor and prevent fraud;
• Mitigate financial loss, claims, liabilities or other harm to End Customers, Business Users and Hive.id;
• Determine eligibility for and offer new Hive.id products and services;
• Respond to inquiries, send Service notices and provide customer support;
• Promote, analyze, modify and improve our Services, systems, and tools, and develop new products and services, including reliability of the Services;
• Manage, operate and improve the performance of our Sites and Services by understanding their effectiveness and optimizing our digital assets;
• Analyze and advertise our Services, and related improvements;
• Share Personal Data with third party service providers that provide services on our behalf and business partners which help us operate and improve our business;
• Enable network and information security throughout Hive.id and our Services;
  ‍
  

d. Consent. We may rely on consent to collect and process Personal Data as it relates to how we communicate with you and for the provision of our Services. When we process data based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on such consent before the consent is withdrawn.

4. Your rights and choices

You may have choices regarding our collection, use and disclosure of your Personal Data:

a. Opting out of receiving electronic communications from us

If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, (i) we retain the right to communicate to you regarding the services you receive (e.g. support and important legal notices) and (ii) our Business Users may still send you messages and/or direct us to send you messages on their behalf.

b. Your data protection rights

Depending on your location and subject to applicable law, you may have the following rights with regard to the Personal Data we control about you:

• The right to request confirmation of whether Hive.id processes Personal Data relating to you, and if so, to request a copy of that Personal Data;
  

• The right to request that Hive.id rectify or update your Personal Data that is inaccurate, incomplete or outdated;
  

• The right to request that Hive.id erase your Personal Data in certain circumstances provided by law;
  

• The right to request that Hive.id restrict the use of your Personal Data in certain circumstances, such as while Hive.id considers another request that you have submitted (including a request that Hive.id make an update to your Personal Data);
  

• The right to request that we export your Personal Data that we hold to another company, where technically feasible;
  

• Where the processing of your Personal Data is based on your previously given consent, you have the right to withdraw your consent at any time;
  

• Where we process your information based on our legitimate interests, you may also have the right to object to the processing of your Personal Data. Unless we have compelling legitimate grounds or where it is needed for legal reasons, we will cease processing your information when you object;
  

• The right not to be discriminated against for exercising these rights; and/or
  

• The right to appeal any decision by Hive.id relating to these rights.
  

You may have additional rights regarding your Personal Data under applicable law. For example, see Jurisdiction-specific provisions section under California below.

c. Process for exercising your data protection rights

To exercise your data protection rights please contact us as described below.

5. Security and retention

We make reasonable efforts to provide a level of security appropriate to the risk associated with the processing of your Personal Data. We maintain organizational, technical and administrative measures designed to protect Personal Data covered by this Policy against unauthorized access, destruction, loss, alteration or misuse. You can read more about these in our Security Policy. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure.

To help us protect Personal Data, where you have an account with Hive.id, we encourage you to use a strong password, protect that password from unauthorized use, use multi factor authentication (known as MFA or 2FA) and not use the same password for your Hive.id account as you do with other services or accounts. If you have reason to believe that your interaction with us is no longer secure (e.g. you feel that the security of your Hive.id account has been compromised), please contact us immediately.

We retain your Personal Data as long as we are providing the Services to you or our Business Users (as applicable) or for a period during which we reasonably anticipate providing the Services. Even after we stop providing Services directly to you or a Business User with which you are doing business, and even if you close your Hive.id account or finish transacting with a Business User, we may retain your Personal Data:

• to comply with our legal and regulatory obligations;
  
• to enable fraud monitoring and detection activities;
  
• to comply with our tax, accounting, and financial reporting obligations;
  

• where required by our contractual commitments and where data retention is mandated;
  

In cases where we keep Personal Data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law.

6. International data transfers

We may transfer your Personal Data to countries other than your own country, including to the United States. These countries may have data protection rules that are different from your country. When transferring data across borders, we take measures to comply with applicable data protection laws related to such transfer. In certain situations, we may be required to disclose Personal Data in response to lawful requests from officials (such as law enforcement or security authorities).

Where applicable law requires a data transfer mechanism, we use one or more of the following:

• Transfers to certain countries or recipients that are recognised as having an adequate level of protection for Personal Data under applicable law.
  

• EU Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum issued by the Information Commissioner’s Office. You can obtain a copy of the relevant Standard Contractual Clauses.
  

• or other legal methods available to us under applicable law.

7. Updates and notifications

We may change this Policy from time to time to reflect changes in our privacy practices or relevant laws. Any changes are effective the latter of when we post the revised Policy or otherwise provide notice of the update as required by law.

We may provide you with disclosures and alerts regarding the Policy or Personal Data collected by posting them on our website and, if you are a Representative, by contacting you through your Hive.id Dashboard, or email address listed in your Hive.id account.

8. Jurisdiction-specific provisions

• Brazil. To exercise your rights, you may contact us. Brazilian residents, to whom the Lei Geral de Proteção de Dados Pessoais (“LGPD”) applies, have rights set forth in Article 18 of the LGPD.
  
• Canada. As used in this Policy, “applicable law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA) and “Personal Data” includes “personal information” as defined under PIPEDA.
  
• EEA and UK. To exercise your rights, you may contact us. If you are a resident of the EEA and you believe our processing of your information is not in line with the General Data Protection Regulation (GDPR), you may direct your questions or complaints to the Estonian Data Protection Inspectorate. If you are a resident of the UK, you may direct your questions or concerns to the UK Information Commissioner’s Office.
  
• Switzerland. As used in this Policy, “applicable law” includes the Swiss Federal Act on Data Protection (FADP), as revised. To exercise your rights under the FADP, please contact us.
  
• United States - California. If you are a consumer located in California, we process your personal information in accordance with California law (e.g. the "CCPA"). Hive.id uses cookies, including advertising cookies, as described in our Cookie Policy.
  

• Your Rights and Choices. As a California consumer and subject to certain limitations under the CCPA, you have choices regarding our use and disclosure of your personal information. Please also note these other California-specific rights:
  

• Exercising the right to know: You have a right to request additional information about the categories of  personal information collected, sold, disclosed, or shared; purposes for which this personal information was collected, sold, or shared; categories of sources of personal information; and categories of third parties with whom we disclosed or shared this personal information.
  
• Exercising the right to opt-out from a sale: We do not sell “Personal Information” as defined by the CCPA and have not done so in the past 12 months.
  
• Exercising the right to limit the use or sharing of Sensitive Personal Information: we do not sell or share Sensitive Personal Information as defined by the CCPA and have not done so in the past 12 months.
  
• Right to opt-out of sharing of cross-context behavioral advertising.
  

• To submit a request to exercise any of the rights described above, please contact us using the methods described in the Contact Us section below. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your identity, including name, address, photo identification, and other information associated with your account.
  
• You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA. Your agent may submit a request on your behalf by contacting us using the methods described in the Contact Us section below. We may still require you to directly verify your identity and confirm that you provided the authorized agent permission to submit the request.
  

• United States - Texas. As used in this Policy, “applicable law” includes the Business and Commerce Code of Texas on the Capture or Use of Biometric Identifiers, Tex. Bus. & Comm. Code § 503.001. We will permanently destroy your biometric identifiers the later of (i) one year after the purpose for collecting the identifier expires, or (ii) one year after any record-keeping obligations imposed by law in connection with the collection of the biometric identifier expire.
  

• United States - Illinois. As used in this Policy, “applicable law” includes the Illinois Biometric Information Privacy Act, 740 ILCS 14/1. We will permanently destroy your biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the End Customer’s last interaction with the Business Users, whichever occurs first.

9. Contact us

If you have any questions or complaints about this Policy, please contact us at legal@hive.id. If you are an End Customer (i.e. an individual doing business or transacting with a Business User), please refer to the privacy policy or notice of the Business User for information regarding the Business User’s privacy practices, choices and controls, or contact the Business User directly.